Re: [CentOS] nsswitch.conf question
On 11.01.2016 at 21:44, Nicholas Geovanis wrote:
> I find the passwd, shadow and group lines in my CentOS 7 /etc/nsswitch.conf
> file specify "files sss". I'm not familiar with the "sss" source, would
> someone please give me an idea what that is? Many thanks
> Nick

https://fedorahosted.org/sssd/

--
LF
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] nsswitch.conf question
On 11.01.2016 at 21:44, Nicholas Geovanis wrote:
> I find the passwd, shadow and group lines in my CentOS 7 /etc/nsswitch.conf
> file specify "files sss". I'm not familiar with the "sss" source, would
> someone please give me an idea what that is? Many thanks
> Nick

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/SSSD-AD.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html

Alexander
[CentOS] nsswitch.conf question
I find the passwd, shadow and group lines in my CentOS 7 /etc/nsswitch.conf
file specify "files sss". I'm not familiar with the "sss" source, would
someone please give me an idea what that is? Many thanks

Nick
[CentOS] X and NUC5i3ryk on 7.2
I just received my NUC5i3 and tried to get X working using 7.2, it has Intel HD 5500 graphics. Not so much...

    lspci | grep VGA

provides

    0:02.0 VGA compatible controller: Intel Corporation Broadwell-U Integrated Graphics (rev 09)

I download this package

    xf86-video-intel-1-2.99.917+519+g8229390-1-x86_64.pkg.tar.xz

rebooted and X is running - but not "well". Tried to play a 1080p video and it's jerky.

Do I not have the correct setup yet? Anyone have the NUC5i3 and have X running correctly?

Any thoughts, Thanks so much.

jerry
Re: [CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
On Jan 11, 2016, at 10:25 AM, James B. Byrne wrote:
>
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world. For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well.

If by “ssh tunnel” you mean -L and -R, then you can’t do this. Those only support TCP, but you need UDP for DNS.

DNS can also run over TCP, but it’s basically only done for bulk transfers, like zone updates between DNS servers. There may be a way to force your client OS’s DNS resolver to TCP-only, but you’ll miss out on third-party resolvers like the ones in Firefox and Chrome. (Yup! They don’t use the OS’s DNS resolver!)

Another option with SSH is SOCKS5, which *does* support UDP, but requires that all the programs that use it speak SOCKS, which has been a dying protocol since NAT routers became common.

FreeBSD and Mac OS X have OS-level SOCKS support that can force *most* application traffic across the configured SOCKS link, but as far as I can tell, such an OS-level SOCKS setting does not exist on Windows and Linux. Some Windows apps obey IE’s proxy settings, but it’s not universal, and on Linux, it’s pretty much every app for itself.

SOCKS and SSH tunnels are fine for ad hoc VPN-like behavior, but if you really need to force all traffic through the tunnel, John’s right: a proper VPN is the correct solution.
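One way to check the client side of the point made above, as an added example that is not part of the original message: ssh -L carries only TCP, so a client's lookups can ride the tunnel only if its resolver points at a loopback forward and is forced to TCP. It assumes the glibc resolver and its use-vc option, a forward already listening on loopback port 53 (resolv.conf cannot name another port), and constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the glibc resolver, where
# "options use-vc" (glibc 2.14 or later) sends every query over TCP.

# Print a verdict for the resolv.conf named in $1 (default /etc/resolv.conf):
#   bypasses-tunnel   at least one nameserver is not a loopback address
#   udp-first         loopback only, but queries still start over UDP
#   tcp-via-loopback  loopback only and TCP forced, so ssh -L can carry it
dns_tunnel_verdict() {
    awk '
        $1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { remote = 1 }
        $1 == "options" {
            for (i = 2; i <= NF; i++) if ($i == "use-vc") tcp = 1
        }
        END {
            # With no nameserver line glibc queries 127.0.0.1.
            if (remote)     print "bypasses-tunnel"
            else if (!tcp)  print "udp-first"
            else            print "tcp-via-loopback"
        }
    ' "${1:-/etc/resolv.conf}"
}

# Constructed sample files (addresses from the documentation range).
dns_demo=$(mktemp -d)
printf 'nameserver 192.0.2.53\n' > "$dns_demo/direct"
printf 'nameserver 127.0.0.1\n' > "$dns_demo/loopback"
printf 'nameserver 127.0.0.1\noptions use-vc timeout:2\n' > "$dns_demo/tcp"

for f in direct loopback tcp; do
    printf '%s: %s\n' "$f" "$(dns_tunnel_verdict "$dns_demo/$f")"
done
```

Browsers that resolve names themselves, as the message notes, are not covered by this check.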
Re: [CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes
On 01/11/2016 09:34 AM, James B. Byrne wrote: In other words, with the address configuration given above, will traffic from 192.168.51.200 reach 192.168.51.100 via the cross-over cable between 192.168.51.42/192.168.51.41? Yes. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
On 1/11/2016 9:25 AM, James B. Byrne wrote:
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world. For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well. However, we recently chrooted a number of ssh users and these
> accounts cannot resolve dns queries passed over the tunnel.

use a proper VPN, like OpenVPN. ssh tunnels have way too many limitations.

--
john r pierce, recycling bits in santa cruz
Re: [CentOS] CentOS-6.7, kvm bridges, virtual interfaces, and routes
On Sat, January 9, 2016 19:48, Gordon Messmer wrote:
> On 01/09/2016 03:30 PM, isdtor wrote:
>> Search for policy routing.
>
> Policy routing isn't relevant.
>
> In order to communicate across a LAN, two hosts must be in the same
> broadcast domain. Hosts in 192.168.51.0/24 cannot communicate with
> hosts in 192.168.52.0/24.

If I have all of the kvm guests on both hosts, together with the br0 bridge on both hosts, configured with addresses on the same a.b.c.0/24 network then will all communication on a.b.c.0/24 pass over br0 if the target address is on the other host?

kvmh1g1 eth0=192.168.51.100
kvmh1   br0=192.168.51.41
kvmh2   br0=192.168.51.42
kvmh2g1 eth0=192.168.51.200

In other words, with the address configuration given above, will traffic from 192.168.51.200 reach 192.168.51.100 via the cross-over cable between 192.168.51.42/192.168.51.41?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
Our firm uses a dedicated virtual host to provide ssh tunnels for remote employee access to various internal services and for http/s access to the outside world. For security reasons I would like to have the remote users forward their dns lookups over the tunnel as well. However, we recently chrooted a number of ssh users and these accounts cannot resolve dns queries passed over the tunnel.

I infer from previous experience that the necessary libraries/binaries are not installed in the chroot home. I can install whatever is missing using yum --installroot=[path/to/chroot/home] but what I cannot determine is exactly what package(s) is/are required.

What is the minimal package set needed to enable chrooted users to perform dns lookups on CentOS-6?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
Re: [CentOS] Learned something today
On Mon, January 11, 2016 9:38 am, Gordon Messmer wrote:
> On 01/11/2016 06:50 AM, Always Learning wrote:
>> Why not, on start-up, create a 'ram disk' and do your sensitive work
>> in volatile RAM or is this what 'tmpfs' implies ?
>
> I think that's what OP expected tmpfs to be, but it should be noted
> that tmpfs *can* be swapped to disk, so it should not be used for data
> that you don't want to ever hit non-volatile storage (unless you have
> no swap space).

One thing just asks to be added: "volatile" memory is not that volatile, so relying purely on keeping sensitive stuff in plain text in volatile memory may not be too good an idea. Still, it is much more secure than the case when sensitive data may hit the hard drive. What I mention is best explained here (the whole paper is very instructive, for RAM go directly to chapter 8):

https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Valeri

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] Learned something today
On 01/11/2016 06:50 AM, Always Learning wrote:
> Why not, on start-up, create a 'ram disk' and do your sensitive work
> in volatile RAM or is this what 'tmpfs' implies ?

I think that's what OP expected tmpfs to be, but it should be noted that tmpfs *can* be swapped to disk, so it should not be used for data that you don't want to ever hit non-volatile storage (unless you have no swap space).
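A check for the condition described in the message above, as an added example that is not part of the original post: it lists the tmpfs mounts in a /proc/mounts table and marks them at risk when the /proc/swaps table shows an active swap area. The function names are this example's own and the sample tables are constructed.

```shell
#!/bin/sh
# Added example: report tmpfs mounts whose pages could be written to swap.
# File arguments default to the live kernel tables.

# Print the mount point of every tmpfs filesystem in a mounts table.
tmpfs_mounts() {
    awk '$3 == "tmpfs" { print $2 }' "${1:-/proc/mounts}"
}

# Print every active swap area (line 1 of /proc/swaps is a header).
active_swap() {
    awk 'NR > 1 && NF >= 5 { print $1 }' "${1:-/proc/swaps}"
}

# Print "AT-RISK <mountpoint>" when swap is active, "OK <mountpoint>" if not.
tmpfs_swap_report() {
    mounts=${1:-/proc/mounts}
    swaps=${2:-/proc/swaps}
    if [ -n "$(active_swap "$swaps")" ]; then
        verdict=AT-RISK
    else
        verdict=OK
    fi
    tmpfs_mounts "$mounts" | while read -r mp; do
        printf '%s %s\n' "$verdict" "$mp"
    done
}

# Constructed sample tables (not taken from a real host).
demo=$(mktemp -d)
cat > "$demo/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=1048576k 0 0
EOF
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$demo/noswap"
cp "$demo/noswap" "$demo/swaps"
printf '/dev/sda2\tpartition\t2097148\t0\t-1\n' >> "$demo/swaps"

tmpfs_swap_report "$demo/mounts" "$demo/swaps"    # swap area present
tmpfs_swap_report "$demo/mounts" "$demo/noswap"   # header only, no swap
```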
Re: [CentOS] Learned something today
On Sun, 2016-01-10 at 06:52 -0800, Alice Wonder wrote:
> For me, I only need /tmp as tmpfs on my Bitcoin box - and then only when
> generating private keys for cold storage, SSDs are often not very good
> at securely deleting files. So I use tmpfs for /tmp and generate the
> private keys for cold storage to a file in /tmp and then print it from
> there (for storage in safe deposit box) - so that the private keys can't
> be recovered from the SSD.

Why not, on start-up, create a 'ram disk' and do your sensitive work in volatile RAM or is this what 'tmpfs' implies ?

--
Regards,
Paul.
England, EU.
England's place is in the European Union.
Re: [CentOS] Centos 3.8 Server Questions, SeaMonkey Mozilla and Java
On 01/09/2016 01:59 PM, H wrote:
> But I did not ask for a current version of Centos to support my usecase, did
> I?

All I can tell you is that CentOS 3.(anything) is no longer secure at all. If this machine in any way touches the internet, expect that it will be hacked.

You can try to minimize the issues by only opening ports that are absolutely required, but there are issues that would be rated critical if that branch was being maintained.

On top of that, java is one of the least secure packages out there, and they have critical updates all the time .. which means if that is what you want to do on this box, then it is doubly insecure.

But that is your call, not mine.

EPEL was never released for RHEL-3 / CentOS-3 (that I can find).

There were not even any of these extra packages for EL3:
http://centos.karan.org

If you must use a CentOS-3.x .. you should use 3.9, which is 3.8 + the updates from here:
http://vault.centos.org/3.9/updates/

But, I want to reiterate, it will in no way be even close to secure.

Thanks,
Johnny Hughes
Re: [CentOS] How to correct LiveKDE stick?
On 09/01/16 13:10, Timothy Murphy wrote:
> CentOS-7-x86_64-LiveKDE-1511.iso crashes on my AMD/ATI Radeon
> machine. I installed CentOS-7.2 by first installing
> CentOS-7-x86_64-LiveKDE-1503.iso, then appending
> GRUB_CMDLINE_LINUX_DEFAULT="initcall_blacklist=clocksource_done_booting"
> to /etc/default/grub and running update-grub.
>
> My question is: would there be any way, short of re-compiling the
> ISO, of altering the grub.cfg seen when booting from a USB stick?

That issue is very specific to some older/lighter AMD cpus, and the bug report is here: https://bugs.centos.org/view.php?id=9860 (probably where you found the workaround)

I don't think that it's worth a respin, nor a custom iso for that issue, as one can just edit the Live image boot parameters (through isolinux config), and then apply the parameter through grub (as you did)

--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab